The result of the EU referendum in the UK took many by surprise. The now real prospect of Brexit has raised many questions about its impact on the legal order in the UK, particularly directives and regulations enacted as a result of EU law And what about the General Data Protection Regulation (GDPR) that has just come into force but has not started to apply yet?

While the immediate thought may be to abandon your preparations for the GDPR, let me change your mind.

Four reasons to comply

1. UK businesses will continue to provide services or sell goods in EU countries after Brexit

Businesses will have to comply with the GDPR or face fines of up to 4 per cent of global turnover.

2. ‘regardless of whether the processing takes place in the Union or not’

The GDPR has vastly expanded the jurisdictional reach of the regulation by applying to those operators who offer goods or services to, or monitor, data subjects in the EU ‘regardless of whether the processing takes place in the Union or not’ (Article 3). This means that any organisation or business carrying out the above activities will have to comply with the GDPR.

3. GDPR will start to apply in May 2018

The UK will remain a full member of the EU until the negotiations on withdrawal are completed. As such, it will enjoy all its rights as a member and will have to comply with the legislation in force. Since the GDPR will start to apply in May 2018, we know that the UK will still be a member of the EU and will have to fully comply with the new regime.

4. Future relationship between the EU and UK

It’s still unclear what the future relationship between the EU and UK will look like. If the UK chooses to join the European Free Trade Association, it will continue to participate in the single market and would continue to apply the vast body of the EU law. If it chooses a different solution, the UK will be free to set its own data protection laws. However, in the case of data transfers between the EU and the UK, the UK will be treated as a third country under the GDPR and its data protection legislation would be assessed as to whether it provides adequate protection of personal data. This assessment is likely to be more positive when the UK maintains a high level of protection of personal data in line with the regime in force across the EU.